Presentation + discussion: Cross-Site Request Forgery (CSRF) is a well-known attack in which a malicious webpage instructs the victim's browser to send requests to legitimate sites on behalf of the victim, piggybacking on the victim's authorized sessions. CSRF attacks are typically transparent to the victim, and it is hard for legitimate websites to differentiate between requests initiated by the victim and requests initiated by the malicious webpage.

Although this type of vulnerability has been known for about a decade, CSRF recently gained much more attention because of its impact on contemporary e-society. In November 2007, a vulnerability in GMail was exploited to forward the victims' incoming mail to an arbitrary account. In October 2008, Zeller and Felten published a technical report describing CSRF attacks on four larger websites, including NYTimes.com and INGDirect.com.

Several mitigation techniques have already been developed, both for protecting the client and for protecting the legitimate server. In this presentation, I will give an overview of the possible mitigation techniques and discuss several of the proposed solutions.

Lieven received his Ph.D. in software security in January 2007 and is currently active as Research Manager on Secure Software within the DistriNet research group at the Katholieke Universiteit Leuven (Belgium). His main research interests are in software security and software engineering; in particular, he is working on software verification and web application security. Lieven is a board member of the Belgian OWASP chapter and has organized several editions of the OWASP refereed papers track at the OWASP AppSec EU conferences. Since 2008 he has also been a guest lecturer on web application security for the industry course SecAppDev.
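The CSRF mechanism and the server-side mitigation described in the abstract above, as an added example that is not part of the original program text or of the speaker's own work: a toy cookie-authenticated "transfer" endpoint, implemented once without protection and once with a per-session synchronizer token plus an Origin-header check. The site origin, the request shape, the session store and the sample requests are all constructed for this demonstration.

```python
"""
Added example (not from the original page): CSRF on a cookie-authenticated
endpoint, vulnerable handler beside a hardened one. Everything here is a
constructed model; no real site, library or framework is represented.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"   # assumed origin of the legitimate site


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the server sees it."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class Server:
    def __init__(self):
        self.sessions = {}   # session id -> {"user": name, "csrf": token}
        self.balances = {}   # user -> balance

    def login(self, user):
        """Create a session; the browser will attach 'sid' to every request."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        self.balances.setdefault(user, 100)
        return sid

    def csrf_token(self, sid):
        # Embedded in the legitimate site's own form; a cross-origin attacker
        # page cannot read it because of the same-origin policy.
        return self.sessions[sid]["csrf"]

    def transfer_vulnerable(self, req):
        """Only checks the session cookie, which the browser sends on its own."""
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None or req.method != "POST":
            return 403
        self.balances[sess["user"]] -= int(req.form["amount"])
        return 200

    def transfer_protected(self, req):
        """Synchronizer token plus Origin check on top of the cookie."""
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None or req.method != "POST":
            return 403
        # 1. Origin check: browsers set Origin on cross-site POSTs and the
        #    attacker page cannot forge it. Older clients may omit it, so the
        #    token below remains the primary control.
        origin = req.headers.get("Origin")
        if origin is not None and origin != SITE_ORIGIN:
            return 403
        # 2. Synchronizer token, compared in constant time.
        submitted = req.form.get("csrf", "")
        if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
            return 403
        self.balances[sess["user"]] -= int(req.form["amount"])
        return 200


def demo():
    srv = Server()
    sid = srv.login("alice")
    # Forged request: the browser attaches alice's cookie automatically, but
    # the attacker page knows no token and cannot claim the site's Origin.
    forged = Request("POST", "/transfer", cookies={"sid": sid},
                     headers={"Origin": "https://evil.example"},
                     form={"to": "mallory", "amount": "50"})
    legit = Request("POST", "/transfer", cookies={"sid": sid},
                    headers={"Origin": SITE_ORIGIN},
                    form={"to": "bob", "amount": "10",
                          "csrf": srv.csrf_token(sid)})
    return {
        "vulnerable_forged": srv.transfer_vulnerable(forged),   # 200: money gone
        "protected_forged": srv.transfer_protected(forged),     # 403
        "protected_legit": srv.transfer_protected(legit),       # 200
        "balance": srv.balances["alice"],                       # 100 - 50 - 10
    }


if __name__ == "__main__":
    print(demo())
```

The forged request carries a valid session cookie and still succeeds against the unprotected handler, which is exactly why the cookie alone cannot tell the two requests apart. The protected handler rejects it even when the attacker omits the Origin header, because the token check does not depend on the header being present.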

Presentation + discussion: Web 2.0 applications are becoming increasingly interconnected and consume various streams coming from other domains. It is very challenging to identify these streams and to discover vulnerabilities by fuzzing them. This talk will focus on understanding application architecture, cross-domain relationships, XML/JSON stream manipulations and vulnerability detection. The following issues will be discussed with cases, demos and tools:

XML and SOAP poisoning

JSON injections and manipulations

XSS based on XML and JSON

Asynchronous injections

Cross Domain CSRF poisoning

JSON and CSRF

XPATH, XQUERY and SQL over JSON/SOAP

XML and SOAP exploits

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular books such as Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan and ISACA. His articles are regularly published on SecurityFocus, InformIT, DevX, O'Reilly and HNS. He has been quoted as an expert by the BBC, Dark Reading and Bank Technology.

Presentation + discussion: As a discipline, software security has made great progress over the last decade. There are now at least 23 large-scale software security initiatives underway in enterprises including global financial services firms, independent software vendors, defense organizations, and other verticals. In 2008, Brian Chess, Sammy Migues and I interviewed the executives running nine initiatives, using the twelve practices of the Software Security Framework as our guide. The resulting data, drawn from real programs at different levels of maturity, was used to guide the construction of a Software Security Maturity Model. This talk will describe the maturity model, drawing examples from many real software security programs. A maturity model is appropriate because improving software security almost always means changing the way an organization works: people, process, and automation are all required. While not all organizations need to achieve the same security goals, all successful large-scale software security initiatives share common ideas and approaches. Whether you rely on the Cigital Touchpoints, Microsoft's SDL, or OWASP CLASP, there is much to learn from practical experience. Use the software security maturity model to determine where you stand and what kind of software security plan will work best for you.

Gary McGraw (aka gem) is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of six best-selling books on this topic. The latest, Exploiting Online Games, was released in 2007. His other titles include Java Security, Building Secure Software, Exploiting Software, and Software Security; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for darkreading.com, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.

Presentation + discussion: The OWASP German chapter has put together a paper to give a better understanding of how and where Web Application Firewalls should be used.

Alexander Meisel is CTO and founder of art of defence. He is in charge of product development, professional services and support. His interest and expertise in the area of security date back to his thesis, in which he wrote about avoiding and tracing distributed denial-of-service attacks. He worked for a Swiss IT service provider as a Web security expert; later he joined LINX, Europe's largest Internet exchange, where he took care of member network security issues. After working for three years as a senior consultant designing and implementing large Web farms, including security audits with a leading producer of web servers, Alexander moved to an SPX Corporation company, where he was the main project manager for Web application solutions in the SAP area.

Presentation: This talk is a preview of the upcoming Poland talk (still in the selection process). The talk will cover a short exegesis of how and where browser vendors talk about security, and what can be seen from a security professional's perspective. The ratio between the growth of new browser technologies and the amount of time developers have to learn to work with them could turn out to be a problem, especially knowing that today's browsers support a vast amount of lost treasures: various XML quirks, data islands, SVG fonts etc., which make it hard to protect rich web applications. Surprising but true: several of the most recent in-the-wild browser exploits were possible due to such legacy features, like the IE6-8 code execution flaw. Reason enough to dive into a collection of weird techniques and standards exposing attack vectors and scenarios that WAF systems and filters might have some trouble with. The talk also shows some issues regarding IE8 and Opera 10, as well as current Firefox versions. The conclusion of the talk features an overview of what we can expect during the next months and ways for developers and related parties to deal with those security risks.

Mario Heiderich is a Cologne-based CTO for an online enterprise based in Cologne and New York. He has been a visitor and speaker at several OWASP conferences, maintains the PHPIDS and other security-related projects, and recently authored a German book on Web Security together with Christian Matthies, fukami and Johannes Dahse. He is currently into browser security and digging into the HTML5 specifications.